Hi thanks ill have to take a look the detection audit log is getting
quite large ill have to grep the id. What i was asking though is how
can i put the exception in a location chaining the rule by id and leave
the core rule as default as i dont want to have to duplicate the
lengthy rules all over the place and is quite painful via terminal.

Ofer Shezaf wrote:

Your rule
will exclude if
there is a referer header at all, and not just if the offending value
appears
in the referer header.

By the
way, you may have noticed in the rule set that
I assumed that SQL injection and XSS would generate false positives on
the
referer header and it is already excluded in the rule set. I did not
anticipate
for command injections. Can you tell me what pattern in the referer
triggers
this?